A fake Google+ page for Bank of America has put both the bank and Google in a bad light.
Just one day after Google rolled out its new business feature last Monday, a group of hackers set up a Google+ page using Bank of America’s name, but without the bank’s knowledge.
Designed to look just like an official BofA page, it was instead devised by people who tricked Google into letting them create a page with the bank’s name and contact information, according to Sophos’ Naked Security blog. Rather than promoting the bank, the page mocked it with insulting taglines, photos, and posts. Though the page has since been removed by Google,Naked Security included a screenshot highlighting some of the content, which I’ve reproduced below:
Some of the posts also took a nasty turn.
“Starting tomorrow, all Occupy Wall Street protestors with Bank of America accounts around the country will have their assets seized as part of BofA’s new Counter-Financial-Terrorism policy,” read one post published by the left-leaning Talking Points Memo blog. “You will sit down and shut up, or we will foreclose on you.”
A BoFA spokesman confirmed to CNET that the bank shared its concerns over the imposter page with Google, and that it was subsequently taken down. After removing the page, Google turned over control of the name back to Bank of America, according to Naked Security. Theofficial BofA Google+ page now includes a “verfied” check mark next to it, apparently as proof that it’s legitimate.
But the incident calls into question how Google authenticates Google+ business pages. AGoogle+ page explains the steps for getting a verification badge, but the process seems more reactive than preventative.
“Since this is primarily a security mechanism, there’s no way to apply for a verification badge,” explained Google. “If we think you or your page might benefit from a badge, we’ll reach out to manually verify you. If you believe a profile or page is impersonating you or your business, report the profile or page and select the ‘Impersonation’ option.”
Google also advises people who notice pages with badges that don’t look right to report the page for abuse, and says the company will “take action if necessary.”
Google does offer one other form of authentication. Businesses are being asked to put a snippet of HTML code on both their corporate Web sites and their Google+ pages to tie the two together and provide some means of verification. The company uses a similar process to authenticate users who want to set up Google Analytics accounts.
But for now, Google’s process does seem to open the door for brandjacking, where virtually anyone can create a Google+ page using a company name not already in use. And since Google+ pages are just getting off the ground, hackers and others are likely to find a lot of company names still ripe for the taking.
In response to CNET’s request for comment, a Google spokeswoman said that “we do not comment on individual Google+ profiles or pages. You can reference our User Content and Conduct Policy for more information.”
Updated 10 a.m. PT with information on using HTML code to link a Web site and Google+ page.